    The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

    Ansible & AWS SSM connectivity/plugin & “ciphertext refers to a customer master key that does not exist”

    Anyone able to get ansible's: ansible_connection: aws_ssm working?

    AFAICT this should be a drop in replacement for ssh: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ssm_connection.html

    My playbook runs with ssh, but not ssm:

    ---
    - name: Test command
      gather_facts: false
      hosts: all
      vars:
        ansible_connection: ssh
        # ansible_connection: aws_ssm <--- this one no worky
        ansible_aws_ssm_region: eu-central-1
      tasks:
        - name: test
          command:
            cmd: ls -l

    Running using:

    ansible-playbook -i inventory_aws_ec2.yml --limit nghc-sbox2-bastion test.yml -vvvv

    I’m missing something on the ansible SSM config. The error is: (from /var/log/amazon/ssm/amazon-ssm-agent.log)

    2021-08-10 23:48:51 INFO [ssm-session-worker] [[email protected]] [DataBackend] [pluginName=Standard_Stream] Initiating Handshake
    2021-08-10 23:48:54 ERROR [ssm-session-worker] [[email protected]] [DataBackend] [pluginName=Standard_Stream] Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

    The ansible output is no more helpful:

    EXEC stdout line:
    EXEC stdout line: Starting session with SessionId: [email protected]
    EXEC remaining: 60
    EXEC remaining: 59
    EXEC stdout line:
    EXEC stdout line:
    EXEC stdout line: SessionId: [email protected] :
    EXEC stdout line: ----------ERROR-------
    EXEC stdout line: Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
    EXEC stdout line: status code: 400, request id: 53549e47-03a1-4a1f-8f30-8f0c27482cc5
    EXEC stdout line:
    EXEC stdout line:
    ssm_retry: attempt: 0, caught exception(local variable 'returncode' referenced before assignment) from cmd (echo ~...), pausing for 0 seconds
    CLOSING SSM CONNECTION TO: i-0c208bc6d31fa6bf1
    TERMINATE SSM SESSION: [email protected]
    ESTABLISH SSM CONNECTION TO: i-0c208bc6d31fa6bf1
    SSM COMMAND: ['/usr/local/bin/session-manager-plugin', '{"SessionId": "[email protected]", "TokenValue": "......Gsoj8bEu3d9s=", "StreamUrl": "wss://ssmmessages.eu-central-1.amazonaws.com/v1/data-channel/[email protected]?role=publish_subscribe", "ResponseMetadata": {"RequestId": "8d20fbe9-d3d2-44e7-a832-a1d4d86861a9", "HTTPStatusCode": 200, "HTTPHeaders": {"server": "Server", "date": "Wed, 11 Aug 2021 00:43:13 GMT", "content-type": "application/x-amz-json-1.1", "content-length": "651", "connection": "keep-alive", "x-amzn-requestid": "8d20fbe9-d3d2-44e7-a832-a1d4d86861a9"}, "RetryAttempts": 0}}', 'eu-central-1', 'StartSession', '', '{"Target": "i-0c208bc6d31fa6bf1"}', 'https://ssm.eu-central-1.amazonaws.com']
    SSM CONNECTION ID: [email protected]
    EXEC echo ~
    _wrap_command: 'echo QTPJHrIizAXitS...

    My SSM is setup correctly for other functionality. I’m able to ssh over ssm and run remote playbooks via ssm, just not use the: ansible_connection: aws_ssm connection mechanism.


    asked Aug 11, 2021 at 0:48

    Bruce Edge


    Possibly github.com/ansible-collections/community.aws/issues/113 –

    Bruce Edge

    Aug 11, 2021 at 0:55


    2 Answers


    Don't disable KMS encryption as some SSM services won't work.

    The right solution is to go to Key Management Service (KMS), select Customer managed keys and select the key you are using.

    There you can add the role that your EC2 instances are using as users to that key.


    edited Jan 25 at 12:26

    answered Jan 20 at 14:48

    Carlos B


    What do you mean by 'hit', and how do you know what key is in use by SSM? –

    Bruce Edge

    Jan 21 at 20:05

    Hi, by "hit" I meant click. –

    Carlos B

    Jan 24 at 21:21

    For the Key, go to "sessions manager" -> "preferences" (it is a tab under the title) -> click "edit" and under "kms encryption" you will see the key used. –

    Carlos B

    Jan 24 at 21:27


    Disabling KMS encryption in the SSM config fixes this issue:

    (AWS console -> system manager -> session manager -> preferences tab)

    Source : stackoverflow.com

    Unable to decrypt any data key · Issue #51 · aws/aws


    Unable to decrypt any data key #51

    Closed

    ShailChoksi opened this issue on May 5, 2018 · 11 comments


    ShailChoksi commented on May 5, 2018 •

    code:

    import base64
    import os

    import aws_encryption_sdk

    # The provider is built from the CMK ARN; the SDK derives the KMS region from that ARN.
    kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
        os.environ["ENCRYPTION_KEY_ARN"]
    ])

    def encrypt(plaintext):
        # Encrypt with the Encryption SDK (this calls kms:GenerateDataKey) and base64-encode the message.
        ciphertext, _ = aws_encryption_sdk.encrypt(
            source=plaintext,
            key_provider=kms_key_provider
        )
        return base64.b64encode(ciphertext)

    def decrypt(ciphertext_b64):
        # Decode and decrypt the message (this calls kms:Decrypt on the wrapped data key).
        ciphertext = base64.b64decode(ciphertext_b64)
        plaintext, _ = aws_encryption_sdk.decrypt(
            source=ciphertext,
            key_provider=kms_key_provider,
        )
        return plaintext

    FYI, this is using v1.3.2.

    I get the following error:

    Unable to decrypt any data key

    When I print out the ciphertext I can clearly see the correct encryption key arn. So I am not sure whats wrong here.

    ShailChoksi changed the title from "Unsupported type 89 discovered in data stream" to "Unable to decrypt any data key" on May 5, 2018

    mattsb42-aws commented on May 7, 2018

    What permissions do you have to the KMS CMK? My initial suspicion is that you have GenerateDataKey permissions but not Decrypt.

    If you turn on debug logging, you can see the error that the underlying KMS client gives. That can show you exactly what the KMS response is to your request.

    WARNING: Do not post debug logs here or anywhere else public, as they contain the entire request and response header and bodies for any AWS calls. For the KMS calls we use, that will include your plaintext data key.

    ShailChoksi commented on May 7, 2018

    Just checked:

    "Effect": "Allow",
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],

    is in the policy for the role. Going to turn on debugging and see how it goes.

    mattsb42-aws commented on May 7, 2018

    Are those actions granted to the CMK in question? And does the CMK's key policy have a matching (or redundant) policy?

    ShailChoksi commented on May 7, 2018

    Hmm ok maybe I am missing something. @mattsb42-aws

    Can you send me a link which explains how I check for both of those things via the AWS console?

    mattsb42-aws commented on May 7, 2018

    These[1][2] are a good starting point for understanding key policies and how they can interact with IAM (or not, as the case may be).

    You can find a brief description of this interchange in this post[3].

    [1] https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

    [2] https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html

    [3] https://forums.aws.amazon.com/thread.jspa?threadID=280836&tstart=0&messageID=845931#845931

    ShailChoksi commented on May 7, 2018

    Yup you are correct, I turned on Debugging and found the following:

    The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

    so somewhere my permissions are incorrectly set.

    ShailChoksi commented on May 7, 2018

    @mattsb42-aws hmm I am not sure if this is the best place to continue this conversation but I am stumped.

    I am able to encrypt messages (since the encrypted messages are stored in our DB)

    I am unable to decrypt using the same code.

    I double checked the policies for the role and the key. They allowed encrypt and decrypt operations. Just in case I changed to kms:* for both.

    The only issue I see is that the botocore session has the region set to us-east-2, whereas the key is in us-east-1. But then even 1 above shouldn't work right?

    mattsb42-aws commented on May 7, 2018

    To clarify, is the value stored in the ENCRYPTION_KEY_ARN environment variable a full CMK Arn or something else?

    When KMSMasterKeyProvider is handling an Arn, it will automatically determine the region from the Arn and build a KMSMasterKey instance with a client for the correct region[1].

    If you would rather continue this offline, feel free to email me at the address in my profile or PM me at this username on the AWS forums.

    [1] https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/key_providers/kms.py#L156-L163

    ShailChoksi commented on May 8, 2018

    Its a full Arn with the region name included.

    mattsb42-aws commented on May 9, 2018

    Hmmm, I think I would have to see code and policies to debug any further.

    The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

    ^ This means that you don't have access to the CMK when you are trying to decrypt. Because of this, I still think that it is a policy issue. One thing you could look for is to make sure that there are no policies (either in IAM or the key policy) that deny access to your principal (user/role) performing decrypt operations with this key (or more generally). Deny policies always take precedence over allow policies.

    Source : github.com

    Resolve KMSAccessDeniedException errors from AWS Lambda

    How do I resolve KMSAccessDeniedException errors from AWS Lambda?

    My AWS Lambda function returns a KMSAccessDeniedException error. How do I troubleshoot the issue?

    Short description

    Update the AWS Key Management Service (AWS KMS) permissions of your AWS Identity and Access Management (IAM) identity based on the error message.

    Important: If the AWS KMS key and IAM role belong to different AWS accounts, then both the IAM policy and KMS key policy must be updated.

    For more information about AWS KMS keys and policy management, see AWS managed KMS keys and customer managed keys.

    Resolution

    Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

    To resolve "KMS Exception: UnrecognizedClientExceptionKMS Message" errors

    The following error usually occurs when a function's execution role is deleted and then recreated using the same name, but with a different principal:

    Calling the invoke API action failed with this message: Lambda was unable to decrypt the environment variables because KMS access was denied. Please check the function's KMS key settings. KMS Exception: UnrecognizedClientExceptionKMS Message: The security token included in the request is invalid.

    To resolve the error, you must reset the AWS KMS grant for the function's execution role by doing the following:

    Note: The IAM user that creates and updates the Lambda function must have permission to use the KMS key.

    1.    Get the Amazon Resource Name (ARN) of the function's current execution role and KMS key, by running the following AWS CLI command:

    $ aws lambda get-function-configuration --function-name yourFunctionName

    2.    Reset the AWS KMS grant by doing one of the following:

    Update the function's execution role to a different, temporary value, by running the following update-function-configuration command:

    Important: Replace temporaryValue with the temporary execution role ARN.

    $ aws lambda update-function-configuration --function-name yourFunctionName --role temporaryValue

    Then, update the function's execution role back to the original execution role by running the following command:

    Important: Replace originalValue with the original execution role's ARN.

    $ aws lambda update-function-configuration --function-name yourFunctionName --role originalValue

    -or-

    Update the function's AWS KMS key to a different, temporary value, by running the following update-function-configuration command:

    Important: Replace temporaryValue with a temporary KMS key ARN. To use a default service key, set the kms-key-arn parameter to "".

    $ aws lambda update-function-configuration --function-name yourFunctionName --kms-key-arn temporaryValue

    Then, update the function's KMS key back to the original KMS key's ARN by running the following command:

    Important: Replace originalValue with the original KMS key's ARN

    $ aws lambda update-function-configuration --function-name yourFunctionName --kms-key-arn originalValue

    For more information, see Key policies in AWS KMS.

    To resolve "KMS Exception: AccessDeniedException KMS Message" errors

    The following error indicates that your IAM identity doesn't have the permissions required to perform the kms:Decrypt API action:

    Lambda was unable to decrypt your environment variables because the KMS access was denied. Please check your KMS permissions. KMS Exception: AccessDeniedException KMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

    To resolve the error, add the following policy statement to your IAM user or role:

    Important: Replace "your-KMS-key-arn" with your KMS key ARN.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": "your-KMS-key-arn"
            }
        ]
    }

    For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console), based on your use case.

    To resolve "You are not authorized to perform" errors

    The following errors indicate that your IAM identity doesn't have one of the permissions required to access the KMS key:

    You are not authorized to perform: kms:Encrypt.

    You are not authorized to perform: kms:CreateGrant.

    User: user-arn is not authorized to perform: kms:ListAliases on resource: * with an explicit deny.

    Note: KMS permissions aren't required for your IAM identity or the function's execution role if you use the default key policy.

    To resolve these types of errors, verify that your IAM user or role has the permissions required to perform the following actions:

    kms:ListAliases
    kms:CreateGrant
    kms:Encrypt
    kms:Decrypt

    For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console), based on your use case.

    Example IAM policy statement that grants the permissions required to access a customer-managed KMS key

    Important: The Resource value must be "*" because the kms:ListAliases action doesn't support resource-level permissions. Also, make sure that you replace "your-kms-key-arn" with your KMS key's ARN.
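The permission interplay that the GitHub thread above works through (GenerateDataKey allowed but not Decrypt, a key policy that never names the principal, the region baked into the key ARN, an explicit Deny beating every Allow) and the AccessDeniedException section of this article can be exercised offline with a small model. This is an added example, not code from either source: it simplifies real IAM evaluation (no Condition elements, no KMS grants, no cross-account handling) and uses constructed ARNs and policies.

```python
import fnmatch

# Constructed sample values for the demonstration (not real AWS resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = "arn:aws:iam::111122223333:role/app-role"
# Default-style key policy: the account root may do anything, which delegates to IAM policies.
DEFAULT_KEY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*",
                                     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def _glob(pattern, value):
    # IAM matches actions and resources as case-insensitive globs ("kms:GenerateDataKey*").
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _hits(stmt, principal, action, key_arn):
    # Identity (IAM) policies carry no Principal element; key policies must name one ("*" = anyone).
    prin = stmt.get("Principal", {"AWS": principal})
    prin = _as_list(prin if isinstance(prin, str) else prin.get("AWS"))
    return (any(_glob(a, action) for a in _as_list(stmt.get("Action")))
            and any(_glob(r, key_arn) for r in _as_list(stmt.get("Resource", "*")))
            and any(_glob(p, principal) for p in prin))

def evaluate_kms_call(principal, action, key_arn, iam_policy, key_policy, client_region):
    """Return (allowed, reason) for `principal` calling `action` on `key_arn` from `client_region`."""
    key_region, account = key_arn.split(":")[3], key_arn.split(":")[4]
    if client_region != key_region:
        # KMS is regional: a key created in us-east-1 is not found by a client built for us-east-2.
        return False, f"key is in {key_region} but the client targets {client_region}"
    account_root = f"arn:aws:iam::{account}:root"
    allows, delegates = {"IAM policy": False, "key policy": False}, False
    for name, doc in (("IAM policy", iam_policy), ("key policy", key_policy)):
        for stmt in doc.get("Statement", []):
            effect, hit = stmt.get("Effect"), _hits(stmt, principal, action, key_arn)
            if hit and effect == "Deny":
                return False, f"explicit Deny in {name} overrides every Allow"
            if hit and effect == "Allow":
                allows[name] = True
            # A key-policy Allow for the account root is what lets IAM policies in that account grant access.
            if name == "key policy" and effect == "Allow" and _hits(stmt, account_root, action, key_arn):
                delegates = True
    if allows["key policy"]:
        return True, "key policy grants the principal directly"
    if allows["IAM policy"] and delegates:
        return True, "IAM policy allows and the key policy delegates to IAM"
    if allows["IAM policy"]:
        return False, "IAM policy allows, but the key policy does not enable IAM policies"
    return False, f"no Allow statement covers {action} on this key"
```

Feeding it a role that has only kms:GenerateDataKey* reproduces the thread's symptom exactly: encryption succeeds while kms:Decrypt is refused, and pointing the client at a region other than the one in the ARN fails before any policy is consulted.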

    Source : aws.amazon.com
